Data protection and working from home
Working from home can bring freedom, flexibility, and an increase in productivity – but it can also come with its own unique set of challenges. If you’re working from home, we’ve developed some guidance to help you remain compliant with UK data protection laws.
Having a ‘working from home’ policy is a vital part of the employee handbook and of your suite of company policies, not to mention a vital risk reduction strategy. This is mainly because working from home presents a few specific personal data protection challenges and risks.
We’ve put together ten top tips, backed by the UK regulator, the Information Commissioner’s Office (ICO), to make sure that personal data protection is not a risk in your organisation.
- Follow your organisation’s policies, procedures, and guidance – Your organisation will have adapted its approach to ensure that personal data is adequately protected. Avoid the temptation to do things in a way you think is more convenient and keep to the organisational policies, procedures, and guidance. The company privacy notice will need updating to reflect home working and further staff data protection training may be required.
- Don’t mix organisation data with your own personal data – If you must work using your own device and software, keep your organisation’s data separate to avoid accidentally keeping hold of data for longer than is necessary. Ideally, your organisation should have provided you with secure technology to work with, in addition to any policies and procedures, such as a ‘data destruction and retention schedule’.
- Communicate securely with stakeholders – Use the communication facilities provided to you by your organisation where available. If you need to share data with others, then choose a secure messaging app or online document sharing system. If you must use email, which isn’t always secure, consider password protecting documents.
- Keep personal data and software up to date – If you’re using your own equipment, don’t be an easy target for hackers. Keep your security software up to date to make it more difficult for them to get in. If your organisation has provided you with technology to work from home, this should be managed for you. It is also a requirement under UK GDPR that all data subjects’ personal data must always be kept up to date.
- Only use approved technology for handling personal data – If your organisation has provided you with technology such as hardware or software you should use it. This will provide the best protection for personal data and avoid any unnecessary risks.
- Use strong passwords – Whether using online storage, a laptop, or some other technology, it’s important to make your passwords hard to guess. The National Cyber Security Centre (NCSC) recommends using three random words together as a password (e.g., ‘networkbuildingclients’ or ‘networkbusinessthe’). Make sure you use different passwords for different applications & services too. We also recommend a password manager application.
- Be extra vigilant about opening web links and attachments in emails or other messages – Don’t click on unfamiliar web links or attachments claiming to give you important coronavirus updates, for example regarding government financial support. We’re seeing a rise in scams, so follow the National Cyber Security Centre’s (NCSC) guidance on spotting suspicious emails.
- Take care with print outs – At the office, it is likely you can use confidential waste bins. At home you won’t have that facility. Follow your organisation’s guidance or safely store print outs until you can take them into the office, or an approved secure destruction contractor can dispose of them securely. Refer to the organisation’s data destruction and retention schedule. Never place personal data into the general waste or other household bins, as this could lead to personal data breaches.
- Consider confidentiality when holding conversations or using a screen – You may be sharing your home working space with other family members or friends. Try to hold conversations where others are less likely to overhear you, and position your screen where it is less likely to be seen by others. The same applies in co-working and office share spaces.
- Lock it away where possible – To avoid loss or theft of personal data, put print outs and devices away at the end of the working day if possible. Ideally this needs to be in locked office furniture, cupboards, or drawers. If you work in a garden office, annexe, or external building to the main property, bring all personal data and devices into the main property at the end of each working day.
Data protection is a risk-based approach, focusing on mitigating and reducing risks, whilst promoting security for the personal data of all data subjects (including your own staff).
It is the legal responsibility of the Data Controller (legal owner of the data) to ensure that all personal data is protected when being acted upon by Data Processors (staff working from home), whilst always remembering that processing must be transparent, necessary, limited to the legitimate interest it is being processed for, kept up to date and kept secure.
Adhering to these personal data protection principles and top tips, whilst having a robust ‘working from home’ policy, will lead to higher rates of stakeholder retention and the increased acquisition of high-quality new clients and staff.
Article by Chris Burn – Director